Last week, Neil and I went on a trip to Birmingham to learn all about GDPR. Then we sat an exam, passed it, and had to go to Bachhus Bar for a beer because our brains hurt. Here are some of the key things we learned that day.
Now, we're not going to pretend this was the most riveting course we've ever taken...
... I mean, neither of us has any background in law, and there was a hell of a lot of terminology to keep up with. But we know how important it is to both our clients and ourselves to be clued up on what we can do with our data when May 25th finally comes around. We all want our personal data to be secure and protected, and no one wants to be slapped with a hefty ol' fine; it really is important to be as informed as you can be.
So, here are some of the noteworthy things we learned at IT Governance's EU General Data Protection Regulation foundation training course, written in the simplest of terms.
First, let's go through some key GDPR definitions, just so I'm not talking too much gibberish.
- 'Controller'
This means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- 'Processor'
This means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- 'Consent'
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- 'Personal data'
This means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- 'Processing'
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- 'Natural person'
A natural person refers to a living, individual, real-life human being.
- 'Data subject'
A data subject refers to an individual who is the subject of personal data. So, the data subject is the individual whom particular personal data is about.
The nature of European law
Turns out there are two main types of legislation (who knew?!)
Directives
Directives require individual implementation in each Member State (Member State meaning any of the countries in the EU). They're implemented by the creation of national laws approved by the parliaments of each Member State.
An example of a directive is the European Directive 95/46/EC. An example of a Member State implementing a directive like this is when the UK implemented the UK Data Protection Act 1998.
Regulations
Now, this is what the EU GDPR is. These babies are immediately applicable in each Member State, without the need for local implementations like directives. This means it automatically applies to each Member State on the day of May 25th.
Still with me? Okay good. Let's look into the history of data protection laws.
History of the EU’s data protection laws
- Post WWII, concerns about protection of human rights.
- 1950, European Convention on Human Rights (ECHR) introduces privacy.
- 1980, OECD guidelines on transborder data flows.
- 1981, Council of Europe Convention 108: eight principles for protecting personal data (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). Different Member States implemented their own laws to reflect this.
- 1995, EU Data Protection Directive (95/46/EC).
- 1998, all Member States transpose it into law (e.g. the UK's DPA 1998). The result: inconsistent protection of individual rights and an uneven organisational playing field.
- 1998, Human Rights Act (HRA 1998): Article 8, 'right to privacy'.
- 2000, the EU proclaimed the Charter of Fundamental Rights of the European Union (Charter), which became legally binding as EU primary law with the Lisbon Treaty (2009): Article 8, 'right to data protection'.
- 2016, EU GDPR approved, becomes law two years from publication.
The GDPR has 11 chapters
And in those 11 chapters are 99 articles. Now, we're not going to go through each article, as that wouldn't really be a blog post; it'd be a pretty lengthy 'GDPR for Dummies' handbook. But here's the general gist:
- Chapter I General Provisions: Articles 1–4
- Chapter II Principles: Articles 5–11
- Chapter III Rights of the Data Subject: Articles 12–23
- Chapter IV Controller and Processor: Articles 24–43
- Chapter V Transfer of Personal Data to Third Countries: Articles 44–50
- Chapter VI Independent Supervisory Authorities: Articles 51–59
- Chapter VII Cooperation and Consistency: Articles 60–76
- Chapter VIII Remedies, Liabilities and Penalties: Articles 77–84
- Chapters IX–XI Various specific provisions: Articles 85–99
Who is the GDPR for?
The GDPR is there to protect the rights of 'natural persons', meaning living individuals like you and me. 'Natural persons' have rights associated with:
- The protection of personal data
- The protection of the processing of personal data
- The unrestricted movement of personal data within the EU.
What kind of data are we talking about?
In material scope:
- Personal data that is processed wholly or partly by automated means
- Personal data that is part of a filing system, or intended to be.
Out of material scope:
- Personal data used in the course of an activity outside of EU law
- Personal data used in border checks, asylum and immigration status
- Personal data used in relation to a purely personal activity
- Personal data used for the purpose of crime prevention, etc.
EU institutions’ processing of personal data will be adapted to the GDPR. The Regulation applies to 'data controllers' and 'processors' in the EU, irrespective of where processing takes place.
Hold up, what are 'controllers' and 'processors'?
According to Article 4 of the EU GDPR, the different roles within the new legislation are:
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
So, the processor processes personal data in accordance with the controller's instructions. A nice example of this comes from Advisera:
A bank (controller) collects the data of its clients when they open an account, but it is another organisation (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank.
Both controllers and processors are responsible for handling the personal data of these customers.
What if you're not in the EU?
The territorial scope applies to processing activities that are related to:
- Goods or services, irrespective of whether payment is required.
- The monitoring of data subjects’ behaviour within the EU by using cookies etc.
The GDPR territorial scope applies to the processing of personal data by 'controllers' who are not established in the EU, but where Member State law applies by virtue of public international law.
So even if you're not in the EU, if you're offering goods or services to data subjects in the EU, you've still got to abide by the new rules. In fact, EU representatives must be designated by controllers or processors outside of the Union, whether in America or China (or us in a year's time).
Big ol' fines
In Article 83, we see the penalties for GDPR non-compliance.
1. €10,000,000 or, in the case of an undertaking, 2% of total worldwide annual turnover in the preceding financial year (whichever is greater).
This relates to the following Articles:
- 8: Child’s consent
- 11: Processing not requiring identification
- 25: Data protection by design and by default
- 26: Joint controllers
- 27: Representatives of controllers not established in the EU
- 26–29 and 30: Processing
- 31: Cooperation with the supervisory authority
- 32: Data security
- 33: Notification of breaches to supervisory authority
- 34: Communication of breaches to data subjects
- 35: Data protection impact assessment
- 36: Prior consultation
- 37–39: DPOs
- 41(4): Monitoring approved codes of conduct
- 42: Certification
- 43: Certification bodies.
2. €20,000,000 or, in the case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher).
And this relates to these following Articles:
- 5: Principles relating to the processing of personal data
- 6: Lawfulness of processing
- 7: Conditions for consent
- 9: Processing special categories of personal data (i.e. sensitive personal data)
- 12–22: Data subject rights to information, access, rectification, erasure, restriction of processing, data portability, objection and profiling
- 44–49: Transfers to third countries
- 58(1): Requirement to provide access to supervisory authority
- 58(2): Orders/limitations on processing or the suspension of data flows.
Principles and accountability
Another important thing to consider is proving that you're compliant and accountable for your data. There are six principles which will help you with this:
All personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up-to-date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security.
To follow these six principles, you need to update the privacy notice on your website to explain your intentions with your customers' data in an explicit, easy-to-understand way, leaving no room for confusion whatsoever.
Processing will only be lawful if one of the following conditions is met:
- Data subject gives consent for one or more specific purposes (so, they checked a tickbox which clearly stated what they were signing up to, for example)
- Processing is necessary to meet contractual obligations entered into by the data subject
- Processing is necessary to comply with legal obligations of the controller
- Processing is necessary to protect the vital interests of the data subject (i.e. life and death scenarios)
- Processing is necessary for tasks in the public interest or exercise of authority vested in the controller
- Processing is for the purposes of legitimate interests pursued by the controller.
Conditions for consent
- Controllers must be able to demonstrate that consent was given
- Written consent must be clear, intelligible and easily accessible, otherwise not binding
- Consent can be withdrawn any time, and it must be as easy to withdraw consent as give it
- Consent to processing data is not necessary for the performance of a contract
- Ticking a box or choosing appropriate technical settings is still valid
- 'Inactivity' is insufficient; data subjects must 'opt in' to receiving marketing communications.
For a child's consent, there are different conditions.
- Consent is valid if given by a child who is at least 16 years old
- Below the age of 16 years, parental authorisation is required
- Member States may lower the age threshold, but not below 13 years (to be safe, many Member States still use the age-16 mark regardless)
- The controller must make reasonable efforts to verify authorisation
- Rules on the validity, formation or effect of a contract in relation to a child shall not be affected
- These conditions apply to Information Society Services such as Google, eBay etc.
Prohibited special categories of data
You're not allowed to process any data relating to:
- Ethnic origin;
- Political opinions;
- Philosophical beliefs;
- Trade union membership;
- Genetic data, for the purpose of uniquely identifying a natural person;
- Biometric data, for the purpose of uniquely identifying a natural person;
- Health data;
- Concerning a natural person's sex life;
- Sexual orientation.
The only exceptions to this are if:
- The data subject has given explicit consent
- It is necessary to fulfil the obligations of controller or of data subject
- It is necessary to protect the vital interests of the data subject (i.e. a life-or-death scenario)
- Processing is carried out by a foundation or not-for-profit organisation
- The personal data has manifestly been made public by the data subject
- Establishment, exercise or defence of legal claims
- Reasons of public interest in the area of public health
- Archiving purposes in the public interest
- A Member State has varied the definition of a special category.
When obtaining personal data, you need to provide the data subject with the following to ensure fair and transparent processing:
- The period of time that the data will be stored
- The right to rectification, erasure, restriction, objection
- The right to data portability
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- The consequences of the data subject’s failure to provide data
- The existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.
What should be recorded in your data inventory?
- What data you hold
- The purposes of that data
- Any third-party processors and what info is shared with these
- Trans-border data flows
- How long you keep data for and how you dispose of unnecessary data
- Any data outside of the EU.
And you must provide any of this information or communication referring to the data subject in a concise, transparent, intelligible and easily accessible form — using clear and plain language.
You've also got to facilitate the exercise of data subjects' rights. For example, if a data subject requests access to their data, you have 30 days to respond. The exception to this is if the requests are excessive or vexatious, and the responsibility is on you, the data controller, to prove why a request is excessive or vexatious.
Rectification and erasure
Your data subjects have the right to the rectification of inaccurate or incomplete personal data on them. They also have the 'right to be forgotten' where one of the following grounds applies:
- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- The data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing
- The personal data have been unlawfully processed
- The personal data have to be erased for compliance with a legal obligation
- The personal data have been collected in relation to the offer of information society services.
Cyber-security and GDPR obviously go hand-in-hand. To be compliant, you need to make sure there's ongoing confidentiality, integrity and availability of your systems. You need a process for regularly testing, assessing and evaluating the effectiveness of any security measures you've implemented. And if processing is high-risk and could cause distress to a data subject, it's mandatory for you to perform a Data Protection Impact Assessment (DPIA).
In the event of a data breach 'leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data stored, transmitted or otherwise processed', data controllers are obliged to report it to the relevant supervisory authority without undue delay. This means immediately, and no later than 72 hours after you first become aware of it. If the report is not made within 72 hours, a justification for the delay must be provided. Oh, and the processor also needs to notify the controller without undue delay after becoming aware of a personal data breach.
Telling your customer
Where there is a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay. This communication of the breach to your data subject needs to be described in clear and unambiguous terms. A supervisory authority may also direct a controller to notify data subjects if it considers a personal data breach to be high-risk.
Data protection officers
Lots of large-scale companies will be hiring full-time Data Protection Officers in the coming weeks to help them stay compliant. Their job is to inform and advise, monitor compliance, provide advice relating to data protection impact assessments, cooperate and liaise with the supervisory authority, and to be a point of contact for data subjects. They're bound by confidentiality, and need to have no conflict of interest arising from additional tasks or duties.
Remember, there is no grace period.
The regulation entered into force on 24th May 2016, and applies immediately from 25th May 2018. So if you've not started thinking about how your own business could get compliant, now's definitely the time.
This blog shouldn't be treated as legal advice for your company — it might, however, be a good starting point for your research. The IT Governance course we attended last week takes you through all 99 articles, some of which we've obviously not covered here. We really recommend you read through the new legislation and research all the resources available to you for when May 25th comes around. And you could even take a course to help you get your head around it, like we did!